一.导入依赖
<!--springboot整合security坐标-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<!-- MyBatisPlus依赖-->
<dependency>
<groupId>com.baomidou</groupId>
<artifactId>mybatis-plus-boot-starter</artifactId>
<version>3.5.1</version>
</dependency>
<!--LomBok依赖-->
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<!--mysql-connector依赖-->
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<scope>runtime</scope>
</dependency>
二.建立构造
三.配置文件
# HTTP port of the embedded server.
server.port=8080
# JDBC connection to the local "springsecurity" schema.
spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
spring.datasource.url=jdbc:mysql://127.0.0.1:3306/springsecurity?serverTimezone=UTC
# NOTE(review): demo values only. The application connects as the MySQL root account with a
# trivial password stored in plain text in this file. Outside a local demo, use a dedicated
# least-privilege database account and supply the password from the environment or a secrets
# store rather than committing it.
spring.datasource.username=root
spring.datasource.password=123456
# Mapper XML files are picked up from classpath:mapper/ when their names end in Dao.xml.
mybatis-plus.mapper-locations=classpath:mapper/*Dao.xml
四.代码部分
mapper文件
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="cn.woniu.dao.UserDao">
<!-- Select all users. NOTE(review): the password column is part of the result, so every caller of queryAll receives it. -->
<select id="queryAll" parameterType="java.util.List" resultType="cn.woniu.entity.Users">
select id,username,account,password from t_user
</select>
<!-- Login lookup by account. #{account} is bound as a prepared-statement parameter rather than concatenated into the SQL text. -->
<select id="login" resultType="cn.woniu.entity.Users">
select id,username,account,password from t_user where account=#{account}
</select>
</mapper>
实体类
package cn.woniu.entity;
import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;
/**
 * Row of the {@code t_user} table, as mapped by the MyBatis statements on this page.
 */
// Lombok generates the getters/setters, equals/hashCode, toString and both constructors.
@Data
@NoArgsConstructor
@AllArgsConstructor
public class Users {
private Integer id;
private String username;
// Login name; the mapper's "login" statement filters on this column.
private String account;
// NOTE(review): @Data's generated toString() and getter include this field, so its value
// reaches logs and any JSON response that serializes a Users object. Exclude or blank it
// at those boundaries.
private String password;
}
Dao
package cn.woniu.dao;
import cn.woniu.entity.Users;
import java.util.List;
/**
 * MyBatis mapper interface bound to the {@code cn.woniu.dao.UserDao} namespace of the mapper XML.
 */
public interface UserDao {
/** Returns every row of {@code t_user}; the mapped statement also selects the password column. */
List<Users> queryAll();
/**
 * Looks up a single user by account name.
 *
 * @param account value matched against {@code t_user.account}
 * @return the matching user; presumably {@code null} when no row matches (confirm against the caller)
 */
Users login(String account);
}
认证
package cn.woniu.config;
import cn.woniu.dao.UserDao;
import cn.woniu.handler.LoginSuccessHandler;
import cn.woniu.service.MyUserDetailsService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Lazy;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configuration.EnableGlobalAuthentication;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
/**
 * Spring Security configuration for the demo application.
 *
 * <p>{@code WebSecurityConfigurerAdapter} is deprecated from Spring Boot 2.7 onwards; this
 * example targets Spring Boot 2.5.4.
 */
// @EnableWebSecurity does two things:
//   1. loads WebSecurityConfiguration, which sets up the web security policy;
//   2. loads AuthenticationConfiguration, which sets up authentication.
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Resolved lazily and optionally, exactly as declared by the two annotations.
    @Lazy
    @Autowired(required = false)
    private MyUserDetailsService myUserDetailsService;

    /**
     * Registers the {@link PasswordEncoder} in the IoC container.
     *
     * @return a BCrypt-based encoder
     */
    @Bean
    public PasswordEncoder getPassword() {
        return new BCryptPasswordEncoder();
    }

    /**
     * Wires the database-backed user lookup and the BCrypt encoder into the
     * authentication manager.
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .userDetailsService(myUserDetailsService)
            .passwordEncoder(getPassword());
    }

    /**
     * Configures form login with a custom page, requires authentication for every
     * request, and turns CSRF protection off.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Use a custom login page instead of the generated one.
            .formLogin()
                .loginPage("/login.html")       // where the login page lives
                .loginProcessingUrl("/dologin") // URL the login form posts to
                // A login success handler could be registered here:
                // .successHandler(new LoginSuccessHandler())
                .permitAll()
                .and()
            // Every request must be authenticated.
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            // Disables CSRF (cross-site request forgery) protection; this is unrelated to
            // cross-site scripting.
            // NOTE(review): with session-based form login, state-changing endpoints are then
            // unprotected against forged cross-site requests. Presumably done because the
            // static login.html cannot carry a token; confirm, and re-enable outside a demo.
            .csrf()
                .disable();
    }
}
EnableWebSecurity注解有两个作用: 1: 加载了WebSecurityConfiguration配置类, 配置安全认证策略。 2: 加载了AuthenticationConfiguration, 配置了认证信息。
启用认证后,Spring Security 默认会返回它自带的登录界面;http.formLogin().loginPage(...) 则是放弃默认界面,改用自定义的登录界面
授权部分
package cn.woniu.service;
import cn.woniu.dao.UserDao;
import cn.woniu.entity.Users;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;
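/**
 * Spring Security authentication service: loads the account to authenticate from the database.
 */
@Service
public class MyUserDetailsService implements UserDetailsService {
    @Autowired(required = false)
    private UserDao userDao;

    @Autowired(required = false)
    private PasswordEncoder passwordEncoder;

    /**
     * Looks the account up through {@link UserDao#login(String)} and hands it to Spring
     * Security, which performs the password comparison.
     *
     * @param username the account name submitted on the login form
     * @return the user details carrying the account, the encoded password and the authorities
     * @throws UsernameNotFoundException if no matching account exists or the record cannot be
     *     turned into a {@link User}
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        Users users = userDao.login(username);
        // Handle the "no such account" case explicitly instead of relying on a
        // NullPointerException being caught further down.
        if (users == null) {
            throw new UsernameNotFoundException("用户名或者密码输入错误");
        }
        try {
            // NOTE(review): encoding the stored value on every lookup only works if
            // t_user.password holds the raw password, i.e. the database keeps passwords
            // unhashed. Prefer storing the BCrypt hash when the account is created and
            // passing the stored hash through here unchanged.
            String encodedPassword = passwordEncoder.encode(users.getPassword());
            // Roles and authorities of the logged-in user; hard-coded here for the demo.
            return new User(users.getAccount(), encodedPassword,
                    AuthorityUtils.commaSeparatedStringToAuthorityList("submit"));
        } catch (RuntimeException e) {
            // Keep the original contract (any failure surfaces as UsernameNotFoundException)
            // but attach the cause instead of printing the stack trace to stderr.
            throw new UsernameNotFoundException("用户名或者密码输入错误", e);
        }
    }
}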
实现 UserDetailsService 接口,表示账号和密码由我们自己提供(这里是从数据库中查询)
Controller层
package cn.woniu.controller;
import cn.woniu.dao.UserDao;
import cn.woniu.entity.Users;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import java.util.ArrayList;
import java.util.List;
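/**
 * Demo REST endpoints, each guarded by the {@code submit} authority through
 * {@code @PreAuthorize}.
 *
 * <p>NOTE(review): {@code @RequestMapping} without a {@code method} maps every HTTP verb. The
 * insert/update/delete handlers are stubs here; restrict them to non-GET verbs once they
 * perform real writes.
 */
@RestController
public class UsersController {
    @Autowired(required = false)
    private UserDao userDao;

    /**
     * Returns all users with the password field blanked.
     *
     * @return the users without their stored passwords
     */
    @RequestMapping("/submit")
    @PreAuthorize("hasAnyAuthority('submit')")
    public List<Users> login() {
        return withoutPasswords(userDao.queryAll());
    }

    /**
     * Returns all users with the password field blanked.
     *
     * @return the users without their stored passwords
     */
    @RequestMapping("/list")
    @PreAuthorize("hasAnyAuthority('submit')")
    public List<Users> queryAll() {
        return withoutPasswords(userDao.queryAll());
    }

    /** Stub endpoint; returns the literal {@code "insert"}. */
    @RequestMapping("insert")
    @PreAuthorize("hasAnyAuthority('submit')")
    public String addUserInfo() {
        return "insert";
    }

    /** Stub endpoint; returns the literal {@code "update"}. */
    @RequestMapping("update")
    @PreAuthorize("hasAnyAuthority('submit')")
    public String updateUser() {
        return "update";
    }

    /** Stub endpoint; returns the literal {@code "delete"}. */
    @RequestMapping("delete")
    @PreAuthorize("hasAnyAuthority('submit')")
    public String delete() {
        return "delete";
    }

    /** Stub endpoint; returns the literal {@code "select"}. */
    @RequestMapping("select")
    @PreAuthorize("hasAnyAuthority('submit')")
    public String select() {
        return "select";
    }

    /**
     * Copies the given users with the password left out, so that the stored credential is
     * never serialized into a response. Copies are used so the objects returned by the DAO
     * are not modified.
     */
    private static List<Users> withoutPasswords(List<Users> users) {
        List<Users> sanitized = new ArrayList<>();
        if (users == null) {
            return sanitized;
        }
        for (Users user : users) {
            sanitized.add(new Users(user.getId(), user.getUsername(), user.getAccount(), null));
        }
        return sanitized;
    }
}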
现在授权是通过注解完成的,由以下两部分组成:
在 service 中要给登录用户授予一个权限(这里是 submit),同时在配置类的 @EnableGlobalMethodSecurity 注解中将 prePostEnabled 设为 true